| Summary: | atomic scan failed if a system container image exists | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Qian Cai <qcai> |
| Component: | atomic | Assignee: | Giuseppe Scrivano <gscrivan> |
| Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | high | Docs Contact: | Yoana Ruseva <yruseva> |
| Priority: | high | ||
| Version: | 7.3 | CC: | ajia, dwalsh, gscrivan, yruseva |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Known Issue | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-12-06 17:42:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Giuseppe, any idea why this is failing on system containers?

I have just opened a PR upstream to address this issue: https://github.com/projectatomic/atomic/pull/680

I have merged that fix. Let's mark this as fixed in atomic-1.13.

It works well in atomic-1.13.1-2 and atomic-1.13.6-1, so moving the bug to VERIFIED status.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2857.html
Description of problem:

```
# atomic install --system --name=etcd brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhel7/etcd:latest
# ostree refs
rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
ociimage/76ba6342472d4504bb7a45b182e0fe355ca72f4b3a4853581e27493ba84084ac
ociimage/9b88b2c7a70f3746ba74ae47b2b634466cecdb6dee647b499062bcd150c1f2e7
ociimage/221c0f90f54c915d563412571904bcdf602cf3912d37141d3d178f3ded2e395d
ostree/0/1/0
ostree/0/1/1
ociimage/rhel7/etcd-latest
# atomic --debug scan --scanner openscap --scan_type cve registry.access.redhat.com/rhel7
Created /run/atomic/2016-10-04-19-48-18-117671
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-10-04-19-48-18-117671:/scanin -v /var/lib/atomic/openscap/2016-10-04-19-48-18-117671:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
Created /run/atomic/2016-10-04-19-48-18-117671/98a88a8b722a71835dd761c88451c681a8f1bc6e577f90d4dc8b234100bd4861
Mounted {u'Created': 1473186186, u'Labels': {u'distribution-scope': u'public', u'build-date': u'2016-09-06T14:12:54.553894Z', u'Vendor': u'Red Hat, Inc.', u'Name': u'rhel7/rhel', u'Build_Host': u'rcm-img-docker02.build.eng.bos.redhat.com', u'vcs-type': u'git', u'vcs-ref': u'08780b7a7779335cf28f64654e43c75ad9341c77', u'release': u'104', u'Version': u'7.2', u'Architecture': u'x86_64', u'Release': u'104', u'BZComponent': u'rhel-server-docker', u'Authoritative_Registry': u'registry.access.redhat.com', u'com.redhat.build-host': u'rcm-img-docker02.build.eng.bos.redhat.com', u'architecture': u'x86_64'}, 'ImageId': u'98a88a8b722a71835dd761c88451c681a8f1bc6e577f90d4dc8b234100bd4861', u'VirtualSize': 201376319, u'ParentId': u'', 'input': 'registry.access.redhat.com/rhel7', u'RepoTags': [u'registry.access.redhat.com/rhel7:latest'], u'RepoDigests': None, u'Id': u'98a88a8b722a71835dd761c88451c681a8f1bc6e577f90d4dc8b234100bd4861', 'ImageType': 'Docker', u'Size': 201376319} to /run/atomic/2016-10-04-19-48-18-117671/98a88a8b722a71835dd761c88451c681a8f1bc6e577f90d4dc8b234100bd4861
Creating the output dir at /var/lib/atomic/openscap/2016-10-04-19-48-18-117671
INFO:OpenSCAP Daemon one-off evaluator 0.1.5
INFO:Autodetected "oscap" in path "/usr/bin/oscap".
INFO:Autodetected "oscap-ssh" in path "/usr/bin/oscap-ssh".
INFO:Autodetected "oscap-vm" in path "/usr/bin/oscap-vm".
INFO:Autodetected "oscap-docker" in path "/usr/bin/oscap-docker".
INFO:Autodetected "oscap-chroot" in path "/usr/bin/oscap-chroot".
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Autodetected SCAP content at "/usr/share/openscap/cpe/openscap-cpe-oval.xml".
INFO:Autodetected SCAP content in path "/usr/share/xml/scap/ssg/content".
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Had a local version of /var/lib/oscapd/cve_feeds/com.redhat.rhsa-RHEL7.xml but it wasn't new enough
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:[100.00%] Scanned target 'chroot:///scanin/98a88a8b722a71835dd761c88451c681a8f1bc6e577f90d4dc8b234100bd4861'

registry.access.redhat.com/rhel7 (98a88a8b722a718)

The following issues were found:

     RHSA-2016:1940: openssl security update (Important)
     Severity: Important
       RHSA URL: https://rhn.redhat.com/errata/RHSA-2016-1940.html
       RHSA ID: RHSA-2016:1940-01
       Associated CVEs:
           CVE ID: CVE-2016-2177
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2177
           CVE ID: CVE-2016-2178
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2178
           CVE ID: CVE-2016-2179
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2179
           CVE ID: CVE-2016-2180
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2180
           CVE ID: CVE-2016-2181
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2181
           CVE ID: CVE-2016-2182
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2182
           CVE ID: CVE-2016-6302
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-6302
           CVE ID: CVE-2016-6304
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-6304
           CVE ID: CVE-2016-6306
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-6306

Files associated with this scan are in /var/lib/atomic/openscap/2016-10-04-19-48-18-117671.

Unmounted /run/atomic/2016-10-04-19-48-18-117671/98a88a8b722a71835dd761c88451c681a8f1bc6e577f90d4dc8b234100bd4861
g-io-error-quark: Refspec 'ociimage/9a011419912964fc07dca28c1276beee515c6d6546b1dc75cba05f6c350a6cbf-latest' not found (1)
Traceback (most recent call last):
  File "/bin/atomic", line 186, in <module>
    sys.exit(_func())
  File "/usr/lib/python2.7/site-packages/Atomic/scan.py", line 169, in scan
    self.record_environment()
  File "/usr/lib/python2.7/site-packages/Atomic/scan.py", line 395, in record_environment
    environment['images'].append(self._inspect_image(image=iid))
  File "/usr/lib/python2.7/site-packages/Atomic/atomic.py", line 254, in _inspect_image
    return self.syscontainers.inspect_system_image(image)
  File "/usr/lib/python2.7/site-packages/Atomic/syscontainers.py", line 607, in inspect_system_image
    return self._inspect_system_branch(repo, imagebranch)
  File "/usr/lib/python2.7/site-packages/Atomic/syscontainers.py", line 610, in _inspect_system_branch
    commit_rev = repo.resolve_rev(imagebranch, False)[1]
Error: g-io-error-quark: Refspec 'ociimage/9a011419912964fc07dca28c1276beee515c6d6546b1dc75cba05f6c350a6cbf-latest' not found (1)
```

Version-Release number of selected component (if applicable):

atomic-1.12.3-2.el7.x86_64

atomic host 7.3 d3fa3283db8c5ee656f78dcfc0fcffe6cd5aa06596dac6ec5e436352208a59cb

How reproducible: always

Additional info:

`ostree refs --delete ociimage/*` or `atomic uninstall <system containers>` makes atomic scan work again.
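
The traceback above shows the scan itself finishing and the command then aborting in `record_environment`, where `resolve_rev(imagebranch, False)` raises on an `ociimage/...-latest` ref that does not exist. The following is an added sketch of that failure mode and of a tolerant lookup; it is not atomic's code and not the change made in the upstream PR. `FakeRepo`, `branch_for` and the report layout are hypothetical, and the ref naming is inferred from the output in the report.

```python
class RefNotFound(Exception):
    """Stands in for the g-io-error-quark error shown in the traceback."""


class FakeRepo(object):
    """Hypothetical in-memory repo. resolve_rev() copies the (ok, rev) return
    shape and the allow_noent switch of the call seen in the traceback."""

    def __init__(self, refs):
        self.refs = refs

    def resolve_rev(self, refspec, allow_noent):
        rev = self.refs.get(refspec)
        if rev is None and not allow_noent:
            raise RefNotFound("Refspec '%s' not found" % refspec)
        return True, rev


def branch_for(image):
    """Assumed ref naming, inferred from the refs and error text in the report."""
    name, sep, tag = image.rpartition(":")
    if not sep:
        name, tag = image, "latest"
    return "ociimage/%s-%s" % (name, tag)


def record_environment(repo, images, allow_noent):
    """Inspect every image; with allow_noent=True a missing ref is recorded
    instead of aborting the whole run."""
    env = {"images": [], "not_system_images": []}
    for image in images:
        rev = repo.resolve_rev(branch_for(image), allow_noent)[1]
        if rev is None:
            env["not_system_images"].append(image)
        else:
            env["images"].append({"image": image, "commit": rev})
    return env


# Constructed sample: one system image ref plus the id from the error message.
REPO = FakeRepo({"ociimage/rhel7/etcd-latest": "constructed-commit-id"})
IMAGES = ["rhel7/etcd:latest",
          "9a011419912964fc07dca28c1276beee515c6d6546b1dc75cba05f6c350a6cbf"]

if __name__ == "__main__":
    print(record_environment(REPO, IMAGES, allow_noent=True))
    try:
        record_environment(REPO, IMAGES, allow_noent=False)
    except RefNotFound as err:
        print("strict lookup aborted: %s" % err)
```
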